Former presidential advisor Clarke addresses campus cybersecurity

From eSchool News staff and wire service reports

March 31st, 2004

Former presidential adviser Richard A. Clarke on March 26 praised Indiana University (IU) as the leader in U.S. higher education in protecting vast stores of information in its computer networks from hackers.

Clarke, who has drawn widespread attention in the past month for criticizing the Bush administration’s anti-terrorism efforts, was the keynote speaker at the first Indiana Higher Education Cybersecurity Summit, sponsored in part by IU’s Center for Applied Cybersecurity Research.

Clarke said universities have an obligation to safeguard information such as Social Security numbers, dates of birth, and even credit card numbers belonging to students, employees, and alumni.

“Universities around the country have enormous computing power, and that computing power is at many of those universities being hijacked … to attack other networks, flooding cyberspace with enormous amounts of information, bogus information, that causes networks to collapse and be unable to communicate,” Clarke said.

His conference appearance at Indiana University-Purdue University at Indianapolis followed his testimony March 24 in Washington before a commission investigating the Sept. 11 terrorist attacks.

In his March 26 speech, Clarke did not address his testimony. In a subsequent meeting with reporters, Clarke refused to discuss his accusation that the Bush administration scaled back the campaign against Osama bin Laden before the Sept. 11 attacks and undermined the fight against terrorism by invading Iraq–allegations he also raised in a book published last week.

Clarke, an adviser on counterterrorism for three presidents and cybersecurity adviser to the Bush administration, said there was more identity theft on the internet last year than ever before.

“The really bad news is 2004 is going to be worse,” he said. “What that says is there is chaos in cyberspace.

“We’ve seen that happen a lot, but never in the time of crisis. It could be, nonetheless, that an enem–be it a terrorist group or a nation-state–could in the future utilize university networks, the way hackers are [doing] on a regular basis now, to jam the internet and prevent it from being available to the government and first-responders.”

He said the University of California at San Diego last week had to notify tens of thousands of students, parents, faculty, and alumni that their privacy information had been compromised by hackers.

“That’s probably happening a lot more often than most universities know,” he said.

Clarke said Indiana University, however, has “set the gold standard” for cybersecurity.

“I’m glad to see that one university in this country, IU, is taking that seriously, and working with IU and other universities, we hope to be able to establish the sorts of practices that are now here at IU at other major colleges and universities,” Clarke said.

He would not say what Indiana is doing that other universities are not.

“One of the great things about cybersecurity is you don’t reveal all your tricks,” Clarke said. “You don’t reveal all the ways that you’re defending your network, because that makes it too easy for the hacker to get around them. Let me just tell you … I was mightily impressed. I’ve never found another university in this country that’s doing anything near as well as IU is.”

One aspect of IU’s cybersecurity plan, first reported by eSchool News on March 10, involves the use of a new kind of authentification technology for staff and faculty members who have access to sensitive school data. (See “Password-generator technology could safeguard school data,” http://www.eschoolnews.com/news/showStory.cfm?ArticleID=4942.)

The technology is known as a “two-factor” login system, because it requires users to enter two passwords before they can log onto the network: their standard, fixed identification and a computer-generated password that is much more difficult to crack. The technology is already in use by a growing number of banks, health-care organizations, and corporations to safeguard sensitive information–but IU is believed to be one of the first schools to deploy it.

In general, Clarke said, universities should educate their own students, faculty, and administration in cybersecurity and in writing more secure software.

“The reason we’re having these problems in cyberspace is we’ve turned out a generation of people with degrees in computer science and no understanding of cybersecurity,” he said.